Xbox One – Capturing the Configuration Traffic

One of the fun things about working at Secure Ideas is the conversations that we have about different technologies and platforms. One of my favorites is the ongoing discussion that Kevin and I have had about the Xbox Live platform and now the Xbox One. A bit before the Xbox One was released we decided to seriously look at the new gaming platform. So two weeks ago my shiny new Xbox One (X1) arrived and while the kids were at school, I set it up and started gathering information on it. (The kids didn’t know I was getting this until I pulled it out for Christmas.)

Before launching into the setup of the X1, here are some of what we are interested in on this gaming platform:

Facial recognition – What privacy concerns are involved with this feature and are there any problems with how it is implemented?

Social media – Xbox Live Gold is a social network for gamers. What privacy concerns are here?

Microphone and camera in your living room – The X1 microphone is always on and listening. I’m not sure what the state of the camera is while the X1 is off. How could this be abused? Can some creep turn on recording of what’s going on and access it somehow?

Implementation flaws – Are there any security problems with the way the X1 has its features implemented? Is data in the clear that shouldn’t be?

The first thing I wanted to do was collect as much information as I could about the X1’s setup process. To do that, I used the wired network connection to set up the X1 and put a Throwing Star LAN Tap Pro in the middle.

The bi-directional arrows indicate the ports that traffic will be flowing through. One of these ports was connected to the X1 and the other to my switch. I then added two Ethernet adapters to a spare Mac and plugged them into the read-only ports of the tap. In this case, these are the two ports with the single-direction arrows. One thing to keep in mind is that each of my network adapters is only seeing half of the conversation as it goes by. For example, en5 will only see the traffic leaving the X1 and en6 only sees the data going to the X1.

With the physical setup complete, it was time to start my packet captures and fire up the X1! I decided to just use tcpdump to capture the data and use Wireshark for analysis later. (XQuartz wasn’t set up on the system I used to capture the traffic, hence the decision to use tcpdump.) I opened up two terminals and ran:

-X = When parsing and printing, in addition to printing the headers of each packet, print the data of each packet (minus its link level header) in hex and ASCII. This is very handy for analysing new protocols.

-S = Print absolute, rather than relative, TCP sequence numbers

-s = Snarf snaplen bytes of data from each packet rather than the default of 65535 bytes. I set this to 0 to capture all data available in each packet.

-w = Write the captured data out to a file rather than displaying to standard out.

Each command referenced a different network adapter and wrote to a separate pcap. With tcpdump up and running, I turned on the X1 and started the setup process.
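To save juggling two terminals, here is a small POSIX shell script I put together as an added example (it is not from the original post) that starts one tcpdump per tap port with the flags described above, stops both on Ctrl-C, and then re-interleaves the two half-conversations with mergecap (shipped with Wireshark) so Wireshark can follow TCP streams across both directions. The interface names en5/en6 come from the post; the output directory, file naming and the use of mergecap are my assumptions.

```shell
#!/bin/sh
# Added example, not the original post's commands. Captures the two
# read-only tap ports (one direction each) and merges the pcaps afterwards.
# Assumptions: tap ports are en5 and en6; tcpdump and mergecap are installed;
# the script is run as root (tcpdump needs to open the interfaces).

TAP_IFACES="en5 en6"                 # read-only tap ports, one direction each
TCPDUMP_OPTS="-X -S -s 0"            # as in the post: hex/ASCII, abs seq, full packets
OUT_DIR="${OUT_DIR:-./x1-capture}"   # assumed location for the pcaps

# Build the exact tcpdump command line for one interface (also used for a dry run).
# Note: -X only affects on-screen printing; with -w the raw packets are written
# to the file, so it is harmless here and kept to match the post.
tcpdump_cmd() {
    printf 'tcpdump -i %s %s -w %s\n' "$1" "$TCPDUMP_OPTS" "$2"
}

# Name each pcap after its interface plus a shared timestamp so the two
# halves of one session can be matched up later.
pcap_name() {
    printf '%s/%s-%s.pcap' "$OUT_DIR" "$1" "$2"
}

# Start one capture per tap port, wait for Ctrl-C, stop both cleanly so the
# files are flushed, then merge them by timestamp for Wireshark.
capture_both() {
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$OUT_DIR"
    pids=""
    for iface in $TAP_IFACES; do
        outfile=$(pcap_name "$iface" "$stamp")
        echo "starting: $(tcpdump_cmd "$iface" "$outfile")"
        # shellcheck disable=SC2086  # TCPDUMP_OPTS is meant to word-split
        tcpdump -i "$iface" $TCPDUMP_OPTS -w "$outfile" &
        pids="$pids $!"
    done
    trap 'kill $pids 2>/dev/null' INT TERM
    echo "capturing on $TAP_IFACES; press Ctrl-C to stop"
    wait $pids || true                # tcpdump exits non-zero when signalled
    mergecap -w "$OUT_DIR/x1-$stamp-merged.pcap" "$OUT_DIR"/*-"$stamp".pcap
    echo "merged capture: $OUT_DIR/x1-$stamp-merged.pcap"
}

# Only start capturing when explicitly asked, so sourcing the file is safe.
if [ "${1:-}" = "--run" ]; then
    capture_both
fi
```

Run it as `sudo ./capture.sh --run`; the merged pcap is the one to open in Wireshark, while the per-interface files remain useful when you want to look at only one direction.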

Analysis of the data I collected is still to come and will be in a future blog post. However, the setup process allowed me to capture a lot of data. For example, I captured a large system update, setting up my profile and the ability to sign in by just being in the room. (The facial sign-in feature has already been fun, as it creeped my wife out by signing her in when she sat on the couch next to me last night. 🙂)

More to come soon!

Jason Wood is a Senior Security Consultant at Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at jason@secureideas.com or visit the Secure Ideas – Professionally Evil site for services provided.